2770 Views | 0 Helpful | 4 Replies

Cisco ASA 5505 AnyConnect SSL VPN problem

Molehand76
Level 1

Hi!

I have a small network, with an ASA 5505, 8.4:

Inside network: 192.168.2.0/24

Outside: Static IP

I would like to deploy an SSL AnyConnect setup.

The state:

- I am given the correct IP from my predefined VPN pool (10.10.10.0/24).

But I could not reach any resource, and could not ping either. My host was given the IP 10.10.10.1, and I had a GW of 10.10.10.2. Where does this GW come from?

Could you help me?

*******************************************************************************************

Here is my config (I omitted my PUBLIC IP, and GW): 

Result of the command: "show running-config"

: Saved
:
ASA Version 8.4(4)1
!
hostname valamiASA
domain-name valami.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 description LAN
 no forward interface Vlan12
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 description WAN
 nameif outside
 security-level 0
 ip address MY_STATIC_IP 255.255.255.248
!
interface Vlan12
 description Vendegeknek a valamiHotSpot WiFi-hez
 nameif guest
 security-level 100
 ip address 192.168.4.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
 name-server 62.112.192.4
 name-server 195.70.35.66
 domain-name valami.local
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-net
 subnet 192.168.2.0 255.255.255.0
object network guest-net
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
 subnet 192.168.2.128 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool valami_vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
!
object network inside-net
 nat (inside,outside) dynamic interface
object network guest-net
 nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 MY_STATIC_GW 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_valami_VPN internal
group-policy GroupPolicy_valami_VPN attributes
 wins-server value 192.168.2.2
 dns-server value 192.168.2.2
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value valami.local
 webvpn
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect ask enable default anyconnect timeout 30
  customization none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group valami_VPN type remote-access
tunnel-group valami_VPN general-attributes
 address-pool valami_vpn_pool
 default-group-policy GroupPolicy_valami_VPN
tunnel-group valami_VPN webvpn-attributes
 group-alias valami_VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d54de340bb6794d90a9ee52c69044753
: end

4 Replies

ALIAOF_
Level 6

You need to set up an exemption from your inside network to the VPN network. And for the VPN pool, make it from 10.10.10.10 to whatever; this way your gateway will be 10.10.10.1, which is just easier.

Here are my notes which might help:

http://news.mali77.com/index.php/2012/11/configuring-cisco-any-connect-on-cisco-asa-8-4/

First of all, thanks for your link.

I know your notes, but I don't understand one thing:

If I check NAT exemption in the AnyConnect wizard, why should I make a NAT exemption rule?

I tried creating a rule, but it is wrong.

My steps (in ASDM):

1: create a network object (10.10.10.0/24), named VPN

2: create a NAT rule: source any, destination VPN, protocol any

Here is my config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.4(4)1
!
hostname companyASA
domain-name company.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 description LAN
 no forward interface Vlan12
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 description WAN
 nameif outside
 security-level 0
 ip address 77.111.103.106 255.255.255.248
!
interface Vlan12
 description Vendegeknek a companyHotSpot WiFi-hez
 nameif guest
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
 name-server 62.112.192.4
 name-server 195.70.35.66
 domain-name company.local
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-net
 subnet 192.168.2.0 255.255.255.0
object network guest-net
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
 subnet 192.168.2.128 255.255.255.128
object network WEBSHOP
 host 192.168.2.2
object network INSIDE_HOST
 host 10.100.130.5
object network VOIP_management
 host 192.168.2.215
object network Dev_1
 host 192.168.2.2
object network Dev_2
 host 192.168.2.2
object network RDP
 host 192.168.2.2
object network Mediasa
 host 192.168.2.17
object network VOIP_ePhone
 host 192.168.2.215
object network NETWORK_OBJ_192.168.4.0_28
 subnet 192.168.4.0 255.255.255.240
object network NETWORK_OBJ_10.10.10.8_29
 subnet 10.10.10.8 255.255.255.248
object network VPN
 subnet 10.10.10.0 255.255.255.0
object network VPN-internet
 subnet 10.10.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source static inside-net inside-net destination static VPN VPN
!
object network inside-net
 nat (inside,outside) dynamic interface
object network guest-net
 nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 77.111.103.105 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_company_VPN internal
group-policy GroupPolicy_company_VPN attributes
 wins-server value 192.168.2.2
 dns-server value 192.168.2.2
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
 default-domain value company.local
 webvpn
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect ask enable default anyconnect timeout 30
  customization none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 wins-server none
 dns-server value 62.112.192.4 195.70.35.66
 vpn-tunnel-protocol ssl-client
 default-domain value company.local
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group company_VPN type remote-access
tunnel-group company_VPN general-attributes
 address-pool company_vpn_pool
 default-group-policy GroupPolicy_company_VPN
tunnel-group company_VPN webvpn-attributes
 group-alias company_VPN enable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool company_vpn_pool
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:33ee37a3722f228f9be9b84ef43f731e
: end

Could you give me the CLI code (or ASDM steps)?

Hi Ali!

I solved it; I had a typo in the config, so everything is OK!

Thank you very much!

I have another question:

If I set up a global access route, source any, dest. any, is it safe?

My goal:

From inside, reach the whole Internet, but from outside nothing, except via the NAT rules (e.g. port forwards).

What is your suggestion?

Regards,

Akos

Sorry for the late reply; I've been dealing with some of my own issues. Glad you were able to resolve the issue.

Technically the firewall will deny traffic from outside to inside. If you want to access anything from outside to your internal network, you'll have to set up NAT and configure appropriate rules too.

So basically inside (higher security level) to outside (lower security level) traffic is allowed, but the other way around it is not, unless you create rules for it.

I personally like to also use an access list on the inside interface for traffic going out.
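Two things in this thread are worth checking mechanically rather than by eye: whether the AnyConnect pool is actually covered by a NAT exemption (the identity twice-NAT rule discussed in the second post), and how wide the applied ACLs are (the question in the last two posts). One caveat a reader should keep in mind for the second point: on an ASA, once an access-group is applied to an interface, that list and its implicit deny replace the security-level default for that direction, so an outside_access_in that permits ip any any, as both posted configs have, admits whatever inbound traffic NAT and routing allow to reach an internal host. The linter below is an added example written for this page, not Cisco code and not the posters' own; parse_asa, pool_exempted, wide_open_acls and lint are its own names, it understands only the subset of ASA 8.4 syntax that appears in the posted configs, and the sample config is constructed from the lines of the second posted config.

```python
"""Lint an ASA 8.4-style running-config (added example, not Cisco code) for:
1. whether an identity twice-NAT rule (NAT exemption) covers the VPN address pool;
2. which applied ACLs (interface or global) contain an effective 'permit ip any any'.
Only the subset of ASA syntax seen in the thread's configs is parsed."""
import ipaddress
import re

TWICE_NAT = re.compile(
    r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def _take_addr(tokens):
    """Consume one ACL address spec: any | host X | object(-group) N | NET MASK."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] in ("host", "object", "object-group"):
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_asa(text):
    cfg = {"objects": {}, "proto_groups": {}, "pools": {}, "nat": [],
           "acls": {}, "access_groups": []}
    block = None  # (kind, name) of the object / object-group currently open
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[:2] == ["object", "network"]:
            block = ("object", w[2])
        elif w[:2] == ["object-group", "protocol"]:
            block = ("pgroup", w[2])
            cfg["proto_groups"].setdefault(w[2], set())
        elif block and block[0] == "object" and w[0] in ("subnet", "host"):
            net = f"{w[1]}/{w[2]}" if w[0] == "subnet" else f"{w[1]}/32"
            cfg["objects"][block[1]] = ipaddress.ip_network(net)  # accepts dotted masks
        elif block and block[0] == "pgroup" and w[0] == "protocol-object":
            cfg["proto_groups"][block[1]].add(w[1])
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            cfg["pools"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "nat":
            m = TWICE_NAT.match(raw.strip())
            if m:  # object NAT ('nat (inside,outside) dynamic interface') is ignored here
                cfg["nat"].append(dict(zip(
                    ("src_if", "dst_if", "src", "src_map", "dst", "dst_map"), m.groups())))
        elif w[0] == "access-list" and len(w) > 4 and w[2] == "extended":
            action, proto = w[3], w[4]
            if proto == "object-group":  # protocol group such as DM_INLINE_PROTOCOL_1
                protos, rest = cfg["proto_groups"].get(w[5], set()), w[6:]
            else:
                protos, rest = {proto}, w[5:]
            src, rest = _take_addr(rest)
            dst, _ = _take_addr(rest)  # ports after the destination are not needed
            cfg["acls"].setdefault(w[1], []).append(
                {"action": action, "protos": protos, "src": src, "dst": dst})
        elif w[0] == "access-group":
            where = "global" if w[2] == "global" else w[4]  # ... in interface NAME
            cfg["access_groups"].append((w[1], where))
    return cfg


def pool_exempted(cfg, pool_name, inside_if="inside"):
    """True if an identity twice-NAT rule from inside_if (or 'any') names a
    destination object containing the whole pool, so traffic to VPN clients
    bypasses the dynamic PAT toward outside."""
    lo, hi = cfg["pools"][pool_name]
    for r in cfg["nat"]:
        identity = r["src"] == r["src_map"] and r["dst"] == r["dst_map"]
        if not identity or r["src_if"] not in (inside_if, "any"):
            continue
        dst_net = cfg["objects"].get(r["dst"])
        if dst_net is not None and lo in dst_net and hi in dst_net:
            return True
    return False


def wide_open_acls(cfg):
    """Applied ACLs containing 'permit ip any any', directly or via a protocol
    object-group that includes ip. Unapplied lists are not reported."""
    hits = []
    for acl, where in cfg["access_groups"]:
        for e in cfg["acls"].get(acl, []):
            if (e["action"] == "permit" and "ip" in e["protos"]
                    and e["src"] == "any" and e["dst"] == "any"):
                hits.append((acl, where))
                break
    return hits


def lint(text):
    cfg = parse_asa(text)
    return {"pool_exempted": {p: pool_exempted(cfg, p) for p in cfg["pools"]},
            "wide_open_acls": wide_open_acls(cfg)}


# Constructed sample: the relevant lines of the second config posted in the thread.
SAMPLE_CONFIG = """\
object network inside-net
 subnet 192.168.2.0 255.255.255.0
object network VPN
 subnet 10.10.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
nat (inside,outside) source static inside-net inside-net destination static VPN VPN
object network inside-net
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
"""

if __name__ == "__main__":
    print(lint(SAMPLE_CONFIG))
```

Run against the sample it reports the pool as exempted and lists both outside_access_in (on the outside interface) and global_access as wide open; deleting the twice-NAT line flips the first result, which is the quick way to confirm a saved config still carries the exemption after an ASDM wizard rerun.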